Make graphql query generation configurable (opt-in/opt-out) for readmodels

[msnm]

Hey

The suggestion

From a security perspective, I want to make the automatic generation of queries for readmodels configurable.

Given a readmodel ConsumerProfile Booster exposes by default GraphQL queries ConsumerProfileReadModel ConsumerProfileReadModels ListConsumerProfileReadModels.

Awesome! In my case, I only require the ConsumerProfileReadModel and I don't want to expose the other queries. Now I prevented access to those, by adding a role that no user has.

The improvement

1. In the booster config (see my fork), I've added:

public enableAutomaticGraphQLQueryGenerationFromReadModels = true

This will make the feature backwards-compatible.

2. Extended the ReadmodelMetadata

  export type ReadModelGraphqlQueryGeneratorConfig = 'GRAPHQL_LIST_AND_SINGLE_QUERIES' | 'GRAPHQL_LIST_QUERY' | 'GRAPHQL_SINGLE_QUERY' | 'NO_GRAPHQL_QUERIES';
  export type ReadModelGraphqlSubscriptionGeneratorConfig = 'GRAPHQL_LIST_AND_SINGLE_SUBSCRIPTION' | 'GRAPHQL_LIST_SUBSCRIPTION' | 'GRAPHQL_SINGLE_SUBSCRIPTION' | 'NO_GRAPHQL_SUBSCRIPTIONS';
  
  export interface ReadModelMetadata<TReadModel extends ReadModelInterface = ReadModelInterface> {
    readonly class: Class<ReadModelInterface>
    readonly properties: Array<PropertyMetadata>
    readonly authorizer: ReadModelAuthorizer
    readonly before: NonNullable<ReadModelFilterHooks<TReadModel>['before']>
    readonly graphqlQueryGenerationConfig: ReadModelGraphqlQueryGeneratorConfig
    readonly graphqlSubscriptionGenerationConfig: ReadModelGraphqlSubscriptionGeneratorConfig
  }

Note that this way of expressing what to generate needs more iteration. First draft...

3. Altered the ReadModel decorator, so that we can express the queries or subscriptions to generate. When the Booster Config value is enableAutomaticGraphQLQueryGenerationFromReadModels = false than developers have to explicitly define what to generate, when it is false, it can be omitted and all queries will be generated.

4. Instead of looping over all the readmodels to generate the respective GraphQL queries, we filter out based on the above config what queries to generate for a given ReadModel.

  public generateByKeysQueries(): GraphQLFieldConfigMap<unknown, GraphQLResolverContext> {
    const queries: GraphQLFieldConfigMap<unknown, GraphQLResolverContext> = {}
    const readModelsThatRequireGraphQLQueries = this.filterReadModelsThatRequireGraphQLQueries(this.readModels, this.config);

    for (const readModel of readModelsThatRequireGraphQLQueries) {
      const readModelName = readModel.name
      const sequenceKeyName = this.config.readModelSequenceKeys[readModelName]
      if (sequenceKeyName) {
        queries[readModelName] = this.generateByIdAndSequenceKeyQuery(readModel, sequenceKeyName)
      } else {
        queries[readModelName] = this.generateByIdQuery(readModel)
      }
    }
    return queries
  }

  private filterReadModelsThatRequireGraphQLQueries(readModels: any[], config: any): any[] {
    return readModels.filter((readModel) => {
      const graphqlQueryGenerationConfig = config.readModels[readModel.name].graphqlQueryGenerationConfig;
      return graphqlQueryGenerationConfig === 'GRAPHQL_LIST_AND_SINGLE_QUERIES' || graphqlQueryGenerationConfig === 'GRAPHQL_SINGLE_QUERY';
    });
  }

From my companies perspective we really require this feature, in order to be inline with our security policies/beliefs. It's my first time contributing to open source and to Booster, so please be critical and supportive :)

Here is the fork with branch: https://github.com/msnm/booster/tree/feature/make-graphql-queries-based-on-readmodels-configurable